Thanks Ken, however
all events are occurring from ONLY the affected user’s workstation. The logs
support this. Also, none of them have access to or ever use terminal services,
so it’s not a disconnected ts session either.
I agree entirely with
your statement that being logged on somewhere else is usually the case –
that’s why I haven’t been able to figure this one out yet.
-----Original
Message-----
From: Adams,
Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 08, 2003 3:08
PM
To:
[EMAIL PROTECTED]
Subject: RE: [ActiveDir] account lockout
troubleshooting
I've
encountered similar lockout issues throughout my admin career. What I've
found the majority of the time is that the locked out account is logged onto a
PC continuously (i.e., an application specific PC that runs all the
time) and logs onto another PC as their primary work machine. When
the password is changed on the primary work PC, the continuously logged on PC
is not logged off to update the password. The continuously logged on PC
periodically attempts to validate the logon credentials and fails the
validation. This validation attempt happens quickly enough that the
account is locked after the specified number of invalid
attempts.
Check
with the affected users and have them be absolutely sure they are not logged
onto more than 1 PC.
Kenneth W. (Ken) Adams, MCSA,
MCSE
-----Original
Message-----
From:
Creamer, Mark
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 08, 2003 2:03
PM
To:
[EMAIL PROTECTED]
Subject: [ActiveDir] account lockout
troubleshooting
Hi folks,
I have been trying to troubleshoot
some lockout events. In every case, the event originates on the user’s own
workstation (not some other user). There are no associated file object
failures on the primary file server. It seems like it is application-based,
but I can’t nail it down. I’ve been using Microsoft’s AL tools, including
EventCombMT, but I can’t use the acctinfo.dll because the clients are Win9x.
Today I noticed for the first time
that on 2 DCs, the exact same 5 login failures occurred (one example
follows):
681,AUDIT FAILURE,Security,Tue Oct
07 13:13:38 2003,NT AUTHORITY\SYSTEM,The logon to account:
MYUSER by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation:
\\HIS_PC failed. The error code was:
3221225578
I was concerned that I didn’t
think it is normal that 2 DCs would log the same 5 logon failures at exactly
the same times. What do you think?
Thanks,
Mark
Creamer
Systems
Engineer
Cintas
Corporation
http://www.cintas.com
Honesty
and Integrity in Everything We Do